Synology NAS targeted by SynoLocker ransomware
Updated from: August 12, 2014 initial release
Synology users were told to update DiskStation NAS drives after SynoLocker, a “cryptolocker”-style ransom attack. Synolocker is not a variant of the infamous Cryptolocker virus we reported on earlier, but is of the same type – a ransomware-style virus that holds its victim’s files to ransom, making the virus cleanup incredibly difficult to do. Their methods involve encrypting the victim’s files and then demanding money to obtain the decryption key, usually the payment is in the form of BitCoin or anonymous digital currency.
Users on the weekend reported finding a message from the crypto-ransomware operators demanding 0.6 Bitcoin (or around $350 US), for the decryption key. Victims would need to install a Tor browser to access the hidden website where they could make the payment, receive the key, and allow decryption. At this time, there is no other method to recover files short of recovering from a backup.
According to Synology, users have been reporting that the attacks are only affecting Synology NAS devices running version 4.3 of its DiskStation Manager (DSM) and not DSM 5.0, which included fixes released last December for two critical flaws that give unauthorised access via the Windows File Service and File Station.
The malware starts encrypting files, telling users that this process is under way. This implies that unencrypted files can still be copied at that point, but how many will depend on the number of files on the affected drive and how long the encryption process has been running. The best course of action is to turn off the drive immediately and take advice.
Detection and prevention rates will be very low as SynoLocker is completely new and attacks the NAS directly, so it is unlikely that any workstation antivirus products will detect it.
Synology users will also need to think about how the malware reached their NAS in the first place and check their modem security, especially opened ports to the NAS and their computer(s).
An official Synology statement said that the issue seemed to be affecting DiskStations running Disk Station Manager 4.3-3810 or earlier.
Update the DSM
Users should update to the latest version by going to Control Panel > DSM Update or manually via the Synology support site.
Updated Information
For more updated information see the Bleeping Computer article and discussion at Bleeping Computer’s article & posts on Synlocker and obtain professional virus cleanup.